Privacy notice during Covid-19
Covid-19 and your information – Updated on Thursday 9 April 2020
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.
Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak.
Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.
Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
National data opt-outs
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes national data opt-outs.
However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.
It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
Sharing your data
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you or your nominated person/carer, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or video- conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.
Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital.
New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
General Data Protection Regulation (GDPR)
The purpose of this notice is to inform you of the type of information that Wirral Community Health and Care NHS Foundation Trust (WCHC) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.
WCHC are registered as a Data Controller with the Information Commissioner’s Office (ICO) and are committed to protecting the rights of individuals in line with the General Data Protection Regulation (GDPR) 2016.
Wirral Community Health and Care NHS Foundation Trust
Telephone: 0151 514 2888
Data Protection Officer
WCHC’s Data Protection Officer can be contacted through email@example.com
What information is collected about me?
The trust collects a combination of personal and special category information that includes:
- basic details, such as your name, address, telephone numbers, date of birth
- details relating to your next of kin
- contacts we have had with you, such as appointments and home visits
- details and records of treatment and care, including notes and reports about your health/care needs
- images for example photograph, x-rays, scans
- test results eg Point of Care Testing
- financial information relevant to your care and support requirements
- visual images eg, CCTV images are used as part of the building security
- responses to surveys
- information relating to complaints and concerns
- racial and ethnic origin
- offences (including alleged offences), criminal proceedings, outcomes and sentences
- religion or similar beliefs
- physical or mental health details
- sexual orientation
- phone recordings – you will be informed if a phone call is being recorded
We have no right to ask you about information that is not relevant to your care.
Why is information collected about me?
The health and social care professionals caring for you keep records about your health and any treatment or care you receive. This information is either written down or stored electronically.
These records are then used to guide and manage the care you receive. This is to ensure that:
- those involved in your care have accurate and up-to-date information to assess your needs
- we can assess the quality of care you have received
- we can offer you or your next of kin identified care or support
- if you need to complain about the care you receive, your concerns or complaints can be properly investigated
To help the NHS
Information is also used to help support the future development of the NHS, ensuring the services provided to our patients/service users is always improving. Some areas where we may process partly/fully anonymised data include:
- analysis of statistical data to review NHS performance and key performance indicators
- to aid the completion of audits across our NHS services
- to review and monitor how we spend public money
- to help plan and develop strategic direction for the future delivery of our NHS service
- to teach and train health/social care professionals
- to conduct health/social care research and development
- to maintain our accounts and records and review and monitor how we spend public money
What is the legal basis for processing my information?
The lawful bases for processing personal data are set out in Article 6 of the General Data Protection Regulation and Article 9 for the processing of special categories data.
We collect and process your personal data for a variety of purposes as outlined in this Privacy Notice.
In many cases, separate consent is not required and therefore we will rely on another ‘legal basis for processing.’ These include:
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Health/Social Care Purposes: the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care services. Occasionally we may ask you for your consent.
Managing Preferences and Withdrawing Consent
Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in. We will not use pre-ticked boxes or any other method of consent by default.
We will not use pre-ticked boxes or any other method of consent by default. As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.
- we will keep consents separate from other terms and conditions
- be specific and granular, clear and concise
- we will name any third party controllers who will rely on consent as required
- make it easy for people to withdraw consent
- keep evidence of consent – who, when, how and what individuals were told
- keep consent under review and refresh if and when anything changes
- avoid making consent a precondition of a service
How do we keep your information confidential and safe?
Information is retained in secure electronic and paper records and access is restricted to those who need to know. Access to these records is strictly controlled and fully auditable.
Everyone working for the NHS has a legal duty to keep information about you confidential and secure under Data Protection Legislation, Caldicott Principles and Common Law Duty of Confidentiality.
Our staff are trained to handle your information correctly and protect your privacy.
Who will my information be shared with?
Where lawful and necessary we will share appropriate, relevant and proportionate personal data with the following:
- health or social care providers, education services, local council and voluntary/third sector organisations who are directly involved in your care.
- organisations that we have contracted or have been contracted by to provide a service. We will only ever share your data if we are satisfied that our partners or suppliers have sufficient measures in place to protect your data in the same way that we do.
- auditors and regulatory bodies such as the Care Quality Commission.
- legal claims and complaints
We are also required by law to report certain information to the appropriate authorities. Occasions when we must pass on information include:
- notification of a new birth
- where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles
- where a formal court order has been issued
- when the Police request information as part of a criminal investigation
Wirral Care Record
Providing health and social care professionals with an overview of your health and social care information in one digital record. Further information can be found here:
Cheshire Care Record
A local electronic patient record that allows health and social care professionals directly involved in your care, to share a summary of your medical record. Further information can be found here: www.cheshirecarerecord.co.uk
National Data Opt-Out Programme
The Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service important information about you is collected in a record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
WCHC comply with the national data opt-out policy.
External Systems and third party providers – there are areas of work where we use externally provided systems (such as our clinical system) to manage your information for service delivery, monitoring and improvement. We ensure that appropriate controls are in place to mitigate risk and ensure compliance with our requirements.
Please note that if you provide us with your mobile number then we may use this to send you a reminder about your appointment, test results and to ask you for feedback. Please let us know if you do not wish to receive these on your mobile.
Your information is never collected or sold for direct marketing purposes. Your information is not processed overseas.
How long do you keep my information for?
Information is held for specified periods of time as set out in the Information Governance Alliance ‘Records Management Code of Practice for Health and Social Care 2016.’
Your legal rights?
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data (commonly known as a ‘subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us and any changes will be at the discretion of the health professional/social worker involved in your care.
Any request for access to records should be forwarded on to:
Victoria Central Health Centre
Mill Lane, Wallasey
Wirral CH44 5UF
Telephone: 0151 604 7592
Wirral Community Health and Care NHS Foundation Trust
Request erasure of your personal data
This enables you to ask us to delete or remove personal data where there is no good reason for us continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you therefore, this right is unlikely to apply to the information held by the trust.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above or have any concerns about your information, please contact our Data Protection Officer:
Tel: 0151 514 2202
If you are still unhappy with the outcome of your enquiry you can write to:
The Information Commissioner
Telephone: 01625 545700
We are committed to making our publications as accessible as possible. If you need this document in an alternative format, for example, large print, Braille or a language other than English, please speak to the Health or Social Care Professional involved with your care.